Framework to develop cyber-physical system behavior-based monitoring

ABSTRACT

Systems and methods may be associated with a cyber-physical system, and a blueprint repository data store may contain electronic files that represent behavior-based asset monitoring parameters for different cyber-physical system asset types. A behavior-based asset monitoring creation computer platform may receive an indication of an asset type of the cyber-physical system. The behavior-based asset monitoring creation computer platform may then search the blueprint repository data store and retrieve an electronic file representing behavior-based asset monitoring parameters for the asset type of the cyber-physical system to be monitored. The behavior-based asset monitoring creation computer platform may also receive, from the remote operator device, adjustments to the retrieved behavior-based asset monitoring parameters and automatically configure, based on the adjusted behavior-based asset monitoring parameters, at least a portion of settings for an abnormal detection model. The abnormal detection model may then be created about output to be executed by an abnormal detection platform.

BACKGROUND

Industrial control systems that operate physical systems (e.g.,associated with power turbines, jet engines, locomotives, autonomousvehicles, etc.) are increasingly connected to the Internet. As a result,these control systems have been increasingly vulnerable to threats, suchas cyber-attacks (e.g., associated with a computer virus, malicioussoftware, etc.) that could disrupt electric power generation anddistribution, damage engines, inflict vehicle malfunctions, etc. Currentmethods primarily consider attack detection in Information Technology(“IT,” such as, computers that store, retrieve, transmit, manipulatedata) and Operation Technology (“OT,” such as direct monitoring devicesand communication bus interfaces). Cyber-attacks can still penetratethrough these protection layers and reach the physical “domain” as seenin 2010 with the Stuxnet attack. Such attacks can diminish theperformance of a control system and may cause total shut down or evencatastrophic damage to a plant. Currently, no methods are available toautomatically detect, during a cyber-incident, attacks at the domainlayer where sensors, controllers, and actuators are located. In somecases, multiple attacks may occur simultaneously (e.g., more than oneactuator, sensor, or parameter inside control system devices might bealtered maliciously by an unauthorized party at the same time). Notethat some subtle consequences of cyber-attacks, such as stealthy attacksoccurring at the domain layer, might not be readily detectable (e.g.,when only one monitoring node, such as a sensor node, is used in adetection algorithm). It may also be important to determine when amonitoring node is experiencing a fault (as opposed to a maliciousattack) and, in some cases, exactly what type of fault is occurring.Existing approaches to protect an industrial control system, such asfailure and diagnostics technologies, may not adequately address theseproblems—especially when multiple, simultaneous attacks and/faults occursince such multiple faults/failure diagnostic technologies are notdesigned for detecting stealthy attacks in an automatic manner.

In some cases, behavior or feature based monitoring might be deployed tomonitor a cyber-physical system (e.g., to detect faults, cyber-attacks,etc.). Implementing such an approach for a new asset, however, mightinvolve manually identifying operation variables and operation space fornormal operation of the asset, manually reviewing and identifyingimportant physical measurements, manually defining attack scenarios,manually setting up Design Of Experiments parameters (“DOE”), etc. As aresult, this approach can be a time-consuming, error-prone, andexpensive process.

It would therefore be desirable to framework that helps developcyber-physical system behavior-based monitoring, such as cyber-attackdetection, in a quick, automatic, and accurate manner.

SUMMARY

According to some embodiments, systems and methods may be implementedassociated with a cyber-physical system to be monitored. A blueprintrepository data store may contain electronic files that representbehavior-based asset monitoring parameters for a number of differentcyber-physical system asset types. A behavior-based asset monitoringcreation computer platform may receive, from a remote operator device,an indication of an asset type of the cyber-physical system to bemonitored. The behavior-based asset monitoring creation computerplatform may then search the blueprint repository data store andretrieve an electronic file representing behavior-based asset monitoringparameters for the asset type of the cyber-physical system to bemonitored. The behavior-based asset monitoring creation computerplatform may also receive, from the remote operator device, adjustmentsto the retrieved behavior-based asset monitoring parameters andautomatically configure, based on the adjusted behavior-based assetmonitoring parameters, at least a portion of settings for an abnormaldetection model. The abnormal detection model may then be created andoutput to be executed by an abnormal detection platform.

Some embodiments comprise: means for receiving, at a behavior-basedasset monitoring creation computer from a remote operator device, anindication of an asset type of the cyber-physical system to bemonitored; means for searching, by the behavior-based asset monitoringcreation computer, a blueprint repository data store and retrieving anelectronic file representing behavior-based asset monitoring parametersfor the asset type of the cyber-physical system to be monitored, whereinthe blueprint repository data store contains electronic files thatrepresent behavior-based asset monitoring parameters for a number ofdifferent cyber-physical system asset types; means for receiving, fromthe remote operator device, adjustments to the retrieved behavior-basedasset monitoring parameters; and means for automatically configuring,based on the adjusted behavior-based asset monitoring parameters, atleast a portion of settings for an abnormal detection model to beexecuted by an abnormal detection platform.

Some technical advantages of some embodiments disclosed herein areimproved systems and methods to provide a framework that helps developcyber-physical system behavior-based monitoring, such as cyber-attackdetection, in a quick, automatic, and accurate manner.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a high-level block diagram of a system that may be provided inaccordance with some embodiments.

FIG. 2 is a method that may be provided in accordance with someembodiments.

FIG. 3 is a high-level block diagram of a system that may be provided inaccordance with some embodiments.

FIG. 4 is a model creation method according to some embodiments.

FIG. 5 is an abnormal alert method according to some embodiments.

FIG. 6 illustrates an off-line process in accordance with someembodiments.

FIG. 7 illustrates a real-time process according to some embodiments.

FIG. 8 is an example associated with a cyber-physical system engine inaccordance with some embodiments.

FIG. 9 illustrates three dimensions of sensor outputs in accordance withsome embodiments.

FIG. 10 is an abnormal alert system according to some embodiments.

FIGS. 11 through 13 illustrate boundaries and locations of featurevectors for various parameters in accordance with some embodiments.

FIG. 14 is an example of a global abnormality protection system inaccordance with some embodiments when multiple gas turbines are involvedin a system.

FIG. 15 is an overall framework structure according to some embodiments.

FIG. 16 illustrates a blueprint-based creation process in accordancewith some embodiments.

FIG. 17 is a method of determining whether an attack is an independentattack or dependent attack in accordance with some embodiments.

FIG. 18 is a causal dependency matrix of monitoring nodes according tosome embodiments.

FIG. 19 is a cyber-physical system protection system display inaccordance with some embodiments.

FIG. 20 is a cyber-physical system protection platform according to someembodiments.

FIG. 21 is portion of a tabular blueprint repository database inaccordance with some embodiments.

DETAILED DESCRIPTION

In the following detailed description, numerous specific details are setforth in order to provide a thorough understanding of embodiments.However, it will be understood by those of ordinary skill in the artthat the embodiments may be practiced without these specific details. Inother instances, well-known methods, procedures, components and circuitshave not been described in detail so as not to obscure the embodiments.

One or more specific embodiments of the present invention will bedescribed below. In an effort to provide a concise description of theseembodiments, all features of an actual implementation may not bedescribed in the specification. It should be appreciated that in thedevelopment of any such actual implementation, as in any engineering ordesign project, numerous implementation-specific decisions must be madeto achieve the developers' specific goals, such as compliance withsystem-related and business-related constraints, which may vary from oneimplementation to another. Moreover, it should be appreciated that sucha development effort might be complex and time consuming, but wouldnevertheless be a routine undertaking of design, fabrication, andmanufacture for those of ordinary skill having the benefit of thisdisclosure.

FIG. 1 is a high-level block diagram of a system 100 that may beprovided in accordance with some embodiments. The system 100 includes abehavior-based asset monitoring creation computer platform 150 that mayretrieve information from a blueprint repository data store 102. Thebehavior-based asset monitoring creation computer platform 150 may, forexample, retrieve behavior-based asset monitoring parameters and outputmodel parameters. That that, as used herein, the phrase “behavior-based”might refer to, for example, a feature-based (e.g., signature-based)system that utilizes features extracted from times series data createdby monitoring nodes (sensors, actuators, etc.) that sense real, physicalparameters of an industrial asset. The behavior-based asset monitoringcreation computer platform 150 may include a search engine 152 (e.g., tolocate potentially relevant blueprints) and/or a customization engine154 (e.g., to let an operator modify parameters). The process ofcreating model parameters might be performed automatically or beinitiated via a simple command from a remote user interface device. Asused herein, the term “automatically” may refer to, for example, actionsthat can be performed with little or no human intervention.

As used herein, devices, including those associated with the system 100and any other device described herein, may exchange information via anycommunication network which may be one or more of a Local Area Network(“LAN”), a Metropolitan Area Network (“MAN”), a Wide Area Network(“WAN”), a proprietary network, a Public Switched Telephone Network(“PSTN”), a Wireless Application Protocol (“WAP”) network, a Bluetoothnetwork, a wireless LAN network, and/or an Internet Protocol (“IP”)network such as the Internet, an intranet, or an extranet. Note that anydevices described herein may communicate via one or more suchcommunication networks.

The behavior-based asset monitoring creation computer platform 150 mightstore information into and/or retrieve information from various datastores (including the blueprint repository data store 102), which may belocally stored or reside remote from the behavior-based asset monitoringcreation computer platform 150. Although a single behavior-based assetmonitoring creation computer platform 150 is shown in FIG. 1, any numberof such devices may be included. Moreover, various devices describedherein might be combined according to embodiments of the presentinvention. For example, in some embodiments, the behavior-based assetmonitoring creation computer platform 150 and blueprint repository datastore 102 might comprise a single apparatus. The system 100 functionsmay be performed by a constellation of networked apparatuses, such as ina distributed processing or cloud-based architecture.

A user may access the system 100 via a remote device (e.g., a PersonalComputer (“PC”), tablet, or smartphone) to view information about and/ormanage pipeline information in accordance with any of the embodimentsdescribed herein. In some cases, an interactive graphical user interfacedisplay may let an operator or administrator define and/or adjustcertain parameters (e.g., to adjust pipeline parameters) and/or provideor receive automatically generated recommendations or results from thesystem 100.

FIG. 2 is a method that might be provided for the system 100 of FIG. 100in accordance with some embodiments. The flow charts described herein donot imply a fixed order to the steps, and embodiments of the presentinvention may be practiced in any order that is practicable. Note thatany of the methods described herein may be performed by hardware,software, or any combination of these approaches. For example, acomputer-readable storage medium may store thereon instructions thatwhen executed by a machine result in performance according to any of theembodiments described herein.

At S210, a behavior-based asset monitoring creation computer mayreceive, from a remote operator device, an indication of an asset type(e.g., a particular wind turbine model and manufacturer) of thecyber-physical system to be monitored. The indication might comprise,for example, a model number, a manufacturer, an asset description, akeyword, an asset image, etc. At S220, the behavior-based assetmonitoring creation computer may search a blueprint repository datastore and retrieve an electronic file representing behavior-based assetmonitoring parameters for the asset type of the cyber-physical system tobe monitored. According to some embodiments, the blueprint repositorydata store contains electronic files that represent behavior-based assetmonitoring parameters for a number of different cyber-physical systemasset types. The behavior-based asset monitoring parameters mightinclude, for example, a DOE matrix, attack scenarios, a behavior set,localization information, accommodation information, local behaviorsassociated with monitoring nodes, global behaviors, monitoring nodeinformation, etc. At S230, the system may receive, from the remoteoperator device, adjustments to the retrieved behavior-based assetmonitoring parameters. For example, an operator might decide to addparameters to blueprint data, delete parameters from the blueprint data,adjust blueprint data values, etc. In some embodiments, thebehavior-based asset monitoring parameters are associated with failuredetection for an industrial asset (e.g., to monitor when components arenot performing as expected). According to other embodiments, thefeature-based asset monitoring parameters might also (or instead) beassociated with cyber security attack detection for an industrial assetas described in connection with FIGS. 3 through 14.

At S240, the system may automatically configure, based on the adjustedfeature-based asset monitoring parameters, at least a portion ofsettings for an abnormal detection. As described herein, the automaticconfiguration might be associated with setting up a system model,identifying operation variables and defining the operation space fornormal operation of the asset, identifying physical measurements,defining attack scenarios, setting up experimental design informationassociated with DOE, etc. At S250, the system may create the abnormaldetection model using the automatically configured settings. At S260,the system may output the model that was created at S250 to be executedby an abnormal detection platform.

According to some embodiments, when an electronic file representingbehavior-based asset monitoring parameters for the asset type of thecyber-physical system to be monitored cannot be found in the blueprintrepository data store 102, the system may interact with a subject matterexpert to determine behavior-based asset monitoring parameters for theasset type of the cyber-physical system to be monitored. The system maythen store, into the blueprint repository data store 102, behavior-basedasset monitoring parameters for the asset type of the cyber-physicalsystem to be monitored.

In this way, a framework may be provided to quickly build an effectivebehavior-based monitoring system for new cyber-physical systemapplications. One component of the framework is the blueprint repositorydata store 102, where each blueprint, designed for a specific type ofindustrial asset, encapsulates the domain specific knowledge (e.g.,physical measurements, normal operation space, attack nodes andscenarios, required for data generation and feature discovery). Eachblueprint might also encapsulate attack detection modeling relatedinformation, such as the features and the detection model structure andparameters. Furthermore, each blueprint might containcodified/standardized workflow for data generation and attack detectionmodel building that may be readily executable. Such a framework, via auser-friendly display, may enable both subject matter experts andnon-subject matter expert users to quickly obtain an effective systemfor a given asset by simply choosing a matching asset from theblueprint, customizing it, and executing a data generation and modelingbuilding pipeline as described with respect to FIGS. 15 and 16.

Some examples of feature-based monitoring systems (e.g., to detectcyber-attacks) will now be provided in connection with FIGS. 3 through14. Consider, for example, FIG. 3 which illustrates a high-levelarchitecture of a system 300 in accordance with some embodiments. Thesystem 300 may include monitoring node sensors 310 MN₁ through MN_(N), a“normal space” data source 320, and an “abnormal space” data source 330.The normal space data source 320 might store, for each of the pluralityof monitoring nodes 310, a series of normal values over time thatrepresent normal operation of a cyber-physical system (e.g., generatedby a model or collected from actual sensor data as illustrated by thedashed line in FIG. 3). The abnormal space data source 330 might store,for each of the monitoring nodes 310, a series of abnormal values thatrepresent abnormal operation of the cyber-physical system (e.g., whenthe system is experiencing a cyber-attack or a fault).

Information from the normal space data source 320 and the abnormal spacedata source 330 may be provided to an abnormal detection model creationcomputer 360 that uses this data to create a decision boundary (that is,a boundary that separates normal behavior from threatened behavior). Thedecision boundary may then be used by an abnormal detection computer 350executing an abnormal detection model 355. The abnormal detection model355 may, for example, monitor streams of data from the monitoring nodes310 comprising data from sensor nodes, actuator nodes, and/or any othercritical monitoring nodes (e.g., sensor nodes MN₁ through MN_(N)) andautomatically output global and local abnormal alert signal to one ormore remote monitoring devices 370 when appropriate (e.g., for displayto an operator or to have the global and local information fused inaccordance with any of the embodiments described herein). As usedherein, the term “automatically” may refer to, for example, actions thatcan be performed with little or no human intervention. According to someembodiments, information about detected threats may be transmitted backto a cyber-physical system control system. Note that, according to someembodiments, the abnormal detection computer 350 and/or the abnormaldetection model creation computer 360 might utilize information storedin a blueprint repository data store 302 (e.g., as described withrespect to FIGS. 15 and 16) to facilitate creation of the abnormaldetection model 355.

FIG. 4 illustrates a model creation method that might be performed bysome or all of the elements of the system 300 described with respect toFIG. 3. At S410, the system may retrieve, for each of a plurality ofmonitoring nodes (e.g., sensor nodes, ac, controller nodes, etc.), aseries of normal values over time that represent normal operation of theCyber-Physical System (“CPS”) and a set of normal feature vectors may begenerated. Similarly, at S420 the system may retrieve, for each of theplurality of monitoring nodes, a series of abnormal (e.g., attacked)values over time that represent an abnormal operation of thecyber-physical system and a set of abnormal feature vectors may begenerated. The series of normal and/or abnormal values might beobtained, for example, by running DOE on a cyber-physical system (e.g.,in accordance with information in a blueprint repository data store). AtS430, a decision boundary may be automatically calculated for anabnormal detection model based on the set of normal feature vectors andthe set of abnormal features. According to some embodiments, thedecision boundary might be associated with a line, a hyperplane, anon-linear boundary separating normal space from threatened space,and/or a plurality of decision boundaries. Moreover, a decision boundarymight comprise a multi-class decision boundary separating normal space,attacked space, and degraded operation space (e.g., when a sensor faultoccurs). In addition, note that the abnormal detection model might beassociated with the decision boundary, feature mapping functions, and/orfeature parameters.

The decision boundary can then be used to detect abnormal operation(e.g., as might occur during cyber-attacks). For example, FIG. 5 is anabnormal alert method according to some embodiments. At S510, the systemmay receive, from a plurality of monitoring nodes, a series of currentvalues over time that represent a current operation of thecyber-physical system. At S520, an attack detection platform computermay then generate, based on the received series of current values, a setof current feature vectors. At S530, an abnormal detection model may beexecuted to transmit an abnormal alert signal based on the set ofcurrent feature vectors and a decision boundary when appropriate (e.g.,when a cyber-attack or fault is detected). According to someembodiments, one or more response actions may be performed when anabnormal alert signal is transmitted. For example, the system mightautomatically shut down all or a portion of the cyber-physical system(e.g., to let the detected potential cyber-attack be furtherinvestigated). As other examples, one or more parameters might beautomatically modified, a software application might be automaticallytriggered to capture data and/or isolate possible causes, etc.

Some embodiments described herein may take advantage of the physics of acontrol system by learning a priori from tuned high-fidelity equipmentmodels and/or actual “on the job” data to detect single or multiplesimultaneous adversarial threats to the system. Moreover, according tosome embodiments, all monitoring node data may be converted to featuresusing advanced feature-based methods, and the real-time operation of thecontrol system may be monitored in substantially real-time.Abnormalities may be detected by classifying the monitored data as being“normal” or disrupted (or degraded). This decision boundary may beconstructed using dynamic models and may help enable early detection ofvulnerabilities (and potentially avert catastrophic failures) allowingan operator to restore the control system to normal operation in atimely fashion.

Note that an appropriate set of multi-dimensional feature vectors, whichmay be extracted automatically (e.g., via an algorithm) and/or bemanually input, might comprise a good predictor of measured data in alow dimensional vector space. According to some embodiments, appropriatedecision boundaries may be constructed in a multi-dimensional spaceusing a data set which is obtained via scientific principles associatedwith DOE techniques. Moreover, multiple algorithmic methods (e.g.,support vector machines or machine learning techniques) may be used togenerate decision boundaries. Since boundaries may be driven by measureddata (or data generated from high-fidelity models), defined boundarymargins may help to create an abnormal zone in a multi-dimensionalfeature space. Moreover, the margins may be dynamic in nature andadapted based on a transient or steady state model of the equipmentand/or be obtained while operating the system as in self-learningsystems from incoming data stream. According to some embodiments, atraining method may be used for supervised learning to teach decisionboundaries. This type of supervised learning may take into account onoperator's knowledge about system operation (e.g., the differencesbetween normal and abnormal operation).

FIG. 6 illustrates an off-line boundary creation process 600 inaccordance with some embodiments. Information about threats, spoofing,attack vectors, vulnerabilities, etc. 610 may be provided to models 620and/or a training and evaluation database 650 created using DOEtechniques. The models 620 may, for example, simulate data 630 frommonitoring nodes to be used to compute features that are assembled intoa feature vector 640 to be stored in the training and evaluationdatabase 650. The data in the training and evaluation database 650 maythen be used to compute decision boundaries 660 to distinguish betweennormal operation and abnormal operation. According to some embodiments,the process 600 may include a prioritization of monitoring nodes andanticipated attack vectors to form one or more data sets to developdecision boundaries. Attack vectors are abnormal values at criticalinputs where malicious attacks can be created at the domain level thatwill make the system go into threatened/abnormal space. In addition, themodels 620 may comprise high-fidelity models that can be used to createa data set (e.g., a set that describes threat space as “levels of threatconditions in the system versus quantities from the monitoring nodes”).The data 630 from the monitoring nodes might be, for example, quantitiesthat are captured for a length of from 60 to 80 seconds from sensornodes, actuator nodes, and/or controller nodes (and a similar data setmay be obtained for “levels of normal operating conditions in the systemversus quantities from the monitoring nodes”). This process will resultin data sets for “abnormal space” and “normal space.” The 60 to 80seconds long quantities may be used to compute features 640 usingfeature engineering to create feature vectors. These feature vectors canthen be used to obtain a decision boundary that separates the data setsfor abnormal space and normal space (used to detect an anomaly such as acyber-attack or naturally occurring fault).

Since attacks might be multi-prong (e.g., multiple attacks might happenat once), DOE experiments may be designed to capture the attack space(e.g., using full factorial, Taguchi screening, central composite,and/or Box-Behnken as suggested by information in a blueprint repositorydata store 602). When models are not available, these DOE methods canalso be used to collect data from real-world asset control system.Experiments may run, for example, using different combinations ofsimultaneous attacks. Similar experiments may be run to create a dataset for the normal operating space. According to some embodiments, thesystem may detect “degraded” or faulty operation as opposed to a threator attack. Such decisions may require the use of a data set for adegraded and/or faulty operating space.

FIG. 7 illustrates a real-time process to protect a cyber-physicalsystem according to some embodiments. At S710, current data frommonitoring nodes may be gathered (e.g., in batches of from 60 to 80seconds). At S720, the system may compute features and form featurevectors. For example, the system might use weights from a principalcomponent analysis as features. At S730, an abnormal detection enginemay compare location of feature vectors to a decision boundary to make adetermination (and output an abnormal signal if necessary). According tosome embodiments, monitoring node data from models (or from realsystems) may be expressed in terms of features since features are ahigh-level representation of domain knowledge and can be intuitivelyexplained. Moreover, embodiments may handle multiple featuresrepresented as vectors and interactions between multiple sensedquantities might be expressed in terms of “interaction features.”

Note that many different types of features may be utilized in accordancewith any of the embodiments described herein, including principalcomponents (weights constructed with natural basis sets) and statisticalfeatures (e.g., mean, variance, skewness, kurtosis, maximum, minimumvalues of time series signals, location of maximum and minimum values,independent components, etc.). Other examples include deep learningfeatures (e.g., generated by mining experimental and/or historical datasets) and frequency domain features (e.g., associated with coefficientsof Fourier or wavelet transforms). Embodiments may also be associatedwith time series analysis features, such as cross-correlations,auto-correlations, orders of the autoregressive, moving average model,parameters of the model, derivatives and integrals of signals, risetime, settling time, neural networks, etc. Still other examples includelogical features (with semantic abstractions such as “yes” and “no”),geographic/position locations, and interaction features (mathematicalcombinations of signals from multiple monitoring nodes and specificlocations). Embodiments may incorporate any number of features, withmore features allowing the approach to become more accurate as thesystem learns more about the physical process and threat. According tosome embodiments, dissimilar values from monitoring nodes may benormalized to unit-less space, which may allow for a simple way tocompare outputs and strength of outputs.

FIG. 8 is an example 800 associated with a cyber-physical system inaccordance with some embodiments. In particular, the example includes acontroller and actuator portion 810 subject to actuator and controllerattacks, a gas turbine portion 820 subject to state attacks, and sensors830 subject to sensor attacks. By way of examples only, the sensors 830might comprise physical and/or virtual sensors associated withtemperatures, airflows, power levels, etc. The actuators might beassociated with, for example, motors. By monitoring the information inthe cyber-physical system, a threat detection platform may be able todetect cyber-attacks (e.g., feature vectors and a decision boundary)that could potentially cause a large amount of damage.

FIG. 9 illustrates 900 three dimensions of monitoring node outputs inaccordance with some embodiments. In particular, a graph 910 plotsmonitoring node outputs (“+”) in three dimensions, such as dimensionsassociated with Principal Component Features (“PCF”): w1, w2, and w3.Moreover, the graph 910 includes an indication of a normal operatingspace decision boundary 920. Although a single contiguous boundary 920is illustrated in FIG. 9, embodiments might be associated with multipleregions. Note that PCF information may be represented as weights inreduced dimensions. For example, data from each monitoring node may beconverted to low dimensional features (e.g., weights). According to someembodiments, monitoring node data is normalized as follows:

${S_{normalized}(k)} = \frac{{S_{nominal}(k)} - {S_{original}(k)}}{{\overset{\_}{S}}_{nominal}}$where S stands for a monitoring node quantity at “k” instant of time.Moreover, output may then be expressed as a weighted linear combinationof basis functions as follows:

$S = {S_{0} + {\sum\limits_{j = 1}^{N}\;{w_{i}\Psi_{j}}}}$

where S₀ is the average monitoring node output with all threats, w_(j)is the j^(th) weight, and ψ_(j) is the j^(th) basis vector. According tosome embodiments, natural basis vectors are obtained using a covarianceof the monitoring nodes' data matrix. Once the basis vectors are known,weight may be found using the following equation (assuming that thebasis sets are orthogonal):w _(j)=(S−S ₀)^(T)ψ_(j)Note that weights may be an example of features used in a featurevector.

Thus, embodiments may enable the passive detection of indications ofmulti-class abnormal operations using real-time signals from monitoringnodes. Moreover, the detection framework may allow for the developmentof tools that facilitate proliferation of the invention to varioussystems (e.g., turbines) in multiple geolocations. According to someembodiments, distributed detection systems enabled by this technology(across multiple types of equipment and systems) will allow for thecollection of coordinated data to help detect multi-prong attacks. Notethat the feature-based approaches described herein may allow forextended feature vectors and/or incorporate new features into existingvectors as new learnings and alternate sources of data become available.As a result, embodiments may detect a relatively wide range ofcyber-threats (e.g., stealth, replay, covert, injection attacks, etc.)as the systems learn more about their characteristics. Embodiments mayalso reduce false positive rates as systems incorporate useful key newfeatures and remove ones that are redundant or less important. Note thatthe detection systems described herein may provide early warning tocyber-physical system operators so that an attack may be thwarted (orthe effects of the attack may be blunted), reducing damage to equipment.

According to some embodiments, a system may further localize an originof a threat to a particular monitoring node. For example, the localizingmay be performed in accordance with a time at which a decision boundaryassociated with one monitoring node was crossed as compared to a time atwhich a decision boundary associated with another monitoring node wascrossed. According to some embodiments, an indication of the particularmonitoring node might be included in a threat alert signal.

Some embodiments of the algorithm may utilize feature-based learningtechniques based on high-fidelity physics models and/or machineoperation data (which would allow the algorithm to be deployed on anysystem) to establish a high dimensional decision boundary. As a result,detection may occur with more precision using multiple signals, makingthe detection more accurate with less false positives. Moreover,embodiments may detect multiple attacks on control signals, andrationalize where the root cause attack originated. For example, thealgorithm may decide if a signal is anomalous because of a previoussignal attack, or if it is instead independently under attack. This maybe accomplished, for example, by monitoring the evolution of thefeatures as well as by accounting for time delays between attacks.

A cyber-attack detection and localization algorithm may process areal-time cyber-physical system signal data stream and then computefeatures (multiple identifiers) which can then be compared to thesignal-specific decision boundary. A block diagram of a system 1000utilizing a signal-specific cyber-physical system abnormality detectionand localization algorithm according to some embodiments is provided inFIG. 10. In particular, a gas turbine 1032 provides information tosensors 1034 which helps controllers with electronics and processors1036 adjust actuators 1038. A threat detection system 1060 may includeone or more high-fidelity physics-based models 1042 associated with theturbine 1032 to create normal data 1010 and/or abnormal data 1020. Thenormal data 1010 and abnormal data 1020 may be accessed by a featurediscovery component 1044 and processed by decision boundary algorithms1046 while off-line (e.g., not necessarily while the gas turbine 1032 isoperating). Note that the feature discovery component 1044 and/ordecision process boundary algorithms 1046 (as well as other componentsof the system 1000) may utilize information from a blueprint repositorydata store (e.g., associated with a similar turbine 1032). The decisionboundary algorithms 1046 may generate an abnormal model includingdecision boundaries for various monitoring nodes. Each decision boundarymay separate two data sets in a high dimensional space which isconstructed by running a binary classification algorithm, such as asupport vector machine using the normal data 1010 and abnormal data 1020for each monitoring node signal (e.g., from the sensors 1034,controllers 1036, and/or the actuators 1038).

A real-time threat detection platform 1050 may receive the boundariesalong with streams of data from the monitoring nodes. The platform 1050may include a feature extraction on each monitoring node element 1052and a normalcy decision 1054 with an algorithm to detect attacks inindividual signals using signal specific decision boundaries, as wellrationalize attacks on multiple signals, to declare which signals wereattacked (or are otherwise abnormal), and which became anomalous due toa previous attack on the system via a localization module 1056. Anaccommodation element 1058 may generate outputs 1070, such as an anomalydecision indication (e.g., an abnormal) alert signal, a controlleraction, and/or a list of abnormal monitoring nodes.

During real-time detection, contiguous batches of control signal datamay be processed by the platform 1050, normalized and the feature vectorextracted. The location of the vector for each signal inhigh-dimensional feature space may then be compared to a correspondingdecision boundary. If it falls within the abnormal region, then acyber-attack may be declared. The algorithm may then make a decisionabout where the attack originally occurred. An attack may sometimes beon the actuators 1038 and then manifested in the sensor 1034 data.Attack assessments might be performed in a post decision module (e.g.,the localization element 1056) to isolate whether the attack is relatedto the sensor, controller, or actuator (e.g., indicating which part ofthe monitoring node). This may be done by individually monitoring,overtime, the location of the feature vector with respect to the harddecision boundary. For example, when a sensor 1034 is spoofed, theattacked sensor feature vector will cross the hard decision boundaryearlier than the rest of the vectors as described with respect to FIGS.11 through 13. If a sensor 1034 is declared to be anomalous, and acommand to the auxiliary equipment is later determined to be anomalous,it may be determined that the original attack, such as signal spoofing,occurred on the sensor 1034. Conversely, if the signal to the auxiliaryequipment was determined to be anomalous first, and then latermanifested in the sensor 1034 feedback signal, it may be determined thatthe signal to the equipment was initially attacked.

According to some embodiments, it may be detected whether or not asignal is in the normal operating space (or abnormal space) through theuse of localized decision boundaries and real-time computation of thespecific signal features. Moreover, an algorithm may differentiatebetween a sensor being attacked as compared to a signal to auxiliaryequipment being attacked. The control intermediary parameters andcontrol logical(s) may also be analyzed using similar methods. Note thatan algorithm may rationalize signals that become anomalous. An attack ona signal may then be identified.

FIG. 11 illustrates 1100 boundaries and feature vectors for variousmonitoring node parameters in accordance with some embodiments. Inparticular, for each parameter a graph includes a first axisrepresenting value weight 1 (“w1”), a feature 1, and a second axisrepresenting value weight 2 (“w2”), a feature 2. Values for w1 and w2might be associated with, for example, outputs from a PrincipalComponent Analysis (“PCA”) that is performed on the input data. PCAmight be one of the features that might be used by the algorithm tocharacterize the data, but note that other features could be leveraged.

A graph is provided for compressor discharge temperature 1111,compressor pressure ratio 1120, compressor inlet temperature 1130, fuelflow 1140, generator power 1150, and gas turbine exhaust temperature1160. Each graph includes a hard boundary 1113 (solid curve), minimumboundary 1116 (dotted curve), and maximum boundary 1114 (dashed curve)and an indication associated with current feature location for eachmonitoring node parameter (illustrated with an “X” on the graph). Asillustrated in FIG. 11, the current monitoring node location is betweenthe minimum and maximum boundaries (that is, the “X” is between thedotted and dashed lines). As a result, the system may determine that theoperation of the industrial asset control system is normal (and nothreat is being detected indicating that the system is currently underattack).

FIG. 12 illustrates 1200 subsequent boundaries and feature vectors forthese parameters. Consider, for example, a feature vector movement 1213for the compressor discharge pressure. Even though feature vector 1213has moved, it is still within the maximum and minimum boundaries and, asa result, normal operation of that monitoring node may be determined.This is the case for the first five graphs in FIG. 12. In this example,a feature vector movement 1262 for the gas turbine exhaust temperaturehas exceeded with maximum boundary and, as a result, abnormal operationof that monitoring node may be determined. For example, a threat mayexist for the exhaust temperature scale factor, which is a correctivevalue. The result is that the feature for the intermediary monitoringnode signal feature vector illustrated in FIG. 12 moves 1262 such thatit is anomalous. The algorithm detects this cyber-attack, and twoparallel actions might be initiated. One action may be post processingof the signal to discover what was attacked, in this case if the systemhas been monitoring each exhaust thermocouple, it may conclude that noneof them are currently abnormal. Therefore, it may be determined thatsomething used to calculate this feature was attacked. The other actionmay be to continually monitor and detect additional attacks. Such anapproach may facilitate a detection of multiple signal attacks.

Given the example of FIG. 12, assume that the gas turbine exhausttemperature signal was attacked. This may cause the system to respond insuch a way so as to put other signals into an abnormal state. This isillustrated 1300 in FIG. 13, where the attack has already been detectedand now other signals shown to be abnormal. In particular, featuremovement for the compressor discharge pressure 1313, compressor pressureratio 1322, compressor inlet temperature 1332, and fuel flow 1342 haveall become abnormal (joining the feature vector for the gas turbineexhaust temperature 1362). Note that the feature vector for generatorpower did not become abnormal. In order to decide whether or not thesesignals 1313, 1322, 1332, 1342 are truly currently under attack, ahistorical batch with pertinent feature vector information may be keptfor some duration of time. Then when an attack is detected on anothersignal, this batch is examined, and the time at which the confirmedattack on gas turbine exhaust temperature as well as several subsequentelements is analyzed.

Note that one signal rationalization might be associated with a systemtime delay. That is, after a sensor is attacked there might be a periodof time before the system returns to a steady state. After this delay,any signal that becomes anomalous might be due to an attack as opposedto the system responding.

Current methods for detecting abnormal conditions in monitoring nodesare limited to Fault Detection Isolation and Accommodation (“FDIA”),which itself is very limited. The hybrid cyber-attack detection andlocalization algorithms described herein can not only detect abnormalsignals of sensors, but can also detect signals sent to auxiliaryequipment, control intermediary parameters and/or control logical(s).The algorithms may also understand multiple signal attacks. Onechallenge with correctly identifying a cyber-attack threat is that itmay occur with multiple sensors being impacted by malware. According tosome embodiments, an algorithm may identify in real-time that an attackhas occurred, which sensor(s) are impacted, and declare a faultresponse. To achieve such a result, the detailed physical response ofthe system must be known to create acceptable decision boundaries. Thismight be accomplished, for example, by constructing data sets for normaland abnormal regions by running DOE experiments on high-fidelity models.A data set for each sensor might comprise a feature vector for giventhreat values (e.g., temperature, airflow, etc.). Full factorial,Taguchi screening, central composite and Box-Behnken are some of theknown design methodologies used to create the attack space. When modelsare not available, these DOE methods are also used to collect data fromreal-world cyber-physical systems. Experiments may be run at differentcombinations of simultaneous attacks. In some embodiments, the systemmay detect degraded/faulty operation as opposed to a cyber-attack. Suchdecisions might utilize a data set associated with a degraded/faultyoperating space. At the end of this process, the system may create datasets such as “attack v/s normal” and “degraded v/s normal” for use whileconstructing decision boundaries. Further note that a decision boundarymay be created for each signal using data sets in feature space. Variousclassification methods may be used to compute decision boundaries. Forexample, binary linear and non-linear supervised classifiers areexamples of methods that could be used to obtain a decision boundary.

Note that multiple vector properties might be examined, and theinformation described with respect to FIGS. 11 through 13 may beprocessed to determine if the signal had been trending in a specificdirection as the attack was detected (or if it had just been moving dueto noise). Had the signal been uniformly trending as the attack tookplace and afterward, then this signal is a response to the originalattack and not an independent attack.

According to some embodiments, the system may localize or otherwiseanalyze an origin of the threat to a particular monitoring node. Forexample, the localizing may be performed in accordance with a time atwhich a decision boundary associated with one monitoring node wascrossed as compared to a time at which a decision boundary associatedwith another monitoring node was crossed. According to some embodiments,an indication of the particular monitoring node might be included in thethreat alert signal.

Some embodiments described herein may take advantage of the physics of acyber-physical system by learning a priori from tuned high-fidelityequipment models and/or actual “on the job” data to detect single ormultiple simultaneous adversarial threats to the system. Moreover,according to some embodiments, all monitoring node data may be convertedto features using advanced feature-based methods, and the real-timeoperation of the cyber-physical system may be monitored in substantiallyreal-time. Abnormalities may be detected by classifying the monitoreddata as being “normal” or disrupted (or degraded). This decisionboundary may be constructed using dynamic models and may help to enableearly detection of vulnerabilities (and potentially avert catastrophicfailures) allowing an operator to restore the cyber-physical system tonormal operation in a timely fashion.

Thus, some embodiments may provide an advanced anomaly detectionalgorithm to detect cyber-attacks on, for example, key cyber-physicalsystem control sensors. The algorithm may identify which signals(s) arebeing attacked using control signal-specific decision boundaries and mayinform a cyber-physical system to take accommodative actions. Inparticular, a detection and localization algorithm might detect whethera sensor, auxiliary equipment input signal, control intermediaryparameter, or control logical are in a normal or anomalous state. Someexamples of cyber-physical system monitoring nodes that might beanalyzed include: critical control sensors; control system intermediaryparameters; auxiliary equipment input signals; and/or logical commandsto controller.

A cyber-attack detection and localization algorithm may process areal-time cyber-physical system signal data stream and then computefeatures (multiple identifiers) which can then be compared to the sensorspecific decision boundary. In some embodiments, generating features mayinvolve simply performing an identity transform. That is, the originalsignal might be used as it is.

Feature vectors may be generated on a monitoring-node-by-monitoring nodebasis and may be considered “local” to each particular monitoring node.FIG. 14 is an example of a “global” abnormality protection system 1400in accordance with some embodiments when multiple gas turbines areinvolved in a system. In particular, the system 1400 includes threeturbines (A, B, and C) and batches of values 1410 from monitoring nodesare collected for each generated over a period of time (e.g., 60 to 80seconds). According to some embodiments, the batches of values 1410 frommonitoring nodes overlap in time. The values 1410 from monitoring nodesmay, for example, be stored in a matrix 1420 arranged by time (t₁, t₂,etc.) and by type of monitoring node (S₁, S₅, etc.) and might beselected in accordance with information from a blueprint repository datastore (e.g., information associated with a similar type of asset).Feature engineering components 1430 may use information in each matrix1420 to create a feature vector 1440 for each of the three turbines(e.g., the feature vector 1440 for turbine C might include FS_(C1),FS_(C2), etc.). The three feature vectors 1440 may then be combined intoa single global feature vector 1450 for the system 1400. Interactionfeatures 1460 may be applied (e.g., associated with A*B*C, A+B+C, etc.)and an anomaly detection engine 1470 may compare the result with adecision boundary and output a global abnormal alert signal whenappropriate.

Note that industrial control systems (e.g., gas turbines, wind turbines,etc.) may largely exhibit transit behaviors due to the transient andstochastic natures of their disturbances, set-points, or driving forces(e.g., wind). As a result, it may be helpful to capture effectivefeatures for abnormality classification, both at the global (system) andlocal (node) levels. Feature discovery techniques mostly rely on datadriven approaches, resulting in outcomes such as shallow (e.g.,statistical) or deep learning-based features.

Some embodiments may utilize time-series data from a collection ofmonitoring nodes (sensor, actuator, or controller nodes) and extractfeatures from the time series data for each monitoring node. The term“feature” may refer to, for example, mathematical characterizations ofdata. Examples of features as applied to data might include the maximumand minimum, mean, standard deviation, variance, settling time, FFTspectral components, linear and non-linear principal components,independent components, sparse coding, deep learning, etc. The type andnumber of features for each monitoring node might be optimized usingdomain-knowledge, feature engineering, or ROC statistics. The localfeatures for each monitoring node may be stacked to create a globalfeature vector (as described in connection with FIG. 14. The globalfeature vector may also contain interactive feature involving two ormore monitoring nodes (e.g., a cross-correlation between two nodes). Thefeatures may be normalized, and the dimension of the global featurevector can then be further reduced using any dimensionality reductiontechnique, such as PCA. The features may be calculated over a slidingwindow of the signal time series, with the length of the window and theduration of slide being determined from domain knowledge, inspection ofthe data, and/or batch processing.

To facilitate the creation of an appropriate monitoring model, FIG. 15is an overall framework structure 1500 according to some embodiments. Ablueprint repository data store 1502 may contain behavior-based assetmonitoring parameters for various types of industrial assets (e.g.,associated with setting up a system model, identifying operationvariables and defining the operation space for normal operation of theasset, identifying physical measurements, defining attack scenarios,setting up experimental design information associated with DOE, etc.).Information about a particular asset 1510 may be input into the system(e.g., an asset name, type, identifier, a description, a manufacturer,etc.). If at 1520 it is determined that the particular asset type isalready in the blueprint repository data store 1502, a blueprint-basedcreation process may be executed at 1540 (described in more detail inconnection with FIG. 16) using knowledge retrieved from the blueprintrepository data store 1502 (e.g., a DOE matrix, attack scenarios,feature sets, etc.). The asset monitoring system may then be deployed at1550.

If it is instead determined at 1520 that that the particular asset typeis not already in the blueprint repository data store 1502, aknowledge-based creation process may be executed at 1530. In this case,a subject matter expert might help define a DOE matrix, attackscenarios, feature sets, etc. When completed, the information about theasset may be used to construct a blueprint that then be stored in theblueprint repository data store 1502 (and used in the future when asimilar asset needs to be monitored). The asset monitoring system maythen be deployed at 1550.

FIG. 16 illustrates a blueprint-based creation process 1600 inaccordance with some embodiments. Once the blueprint for the targetasset is identified from a blue print repository, and prior to executinga creation pipeline 1650 to build the model, the identified blueprintcan be customized 1610 based on the target asset information. Forexample, the number of sensor measurements may be different for thetarget asset as compared to the blueprint. Thus, the blueprint-basedcreation process 1600 may let a user to add or delete sensormeasurements as appropriate. With the customized blueprint, the creationpipeline (e.g., an automated process) can then be executed.

According to some embodiments, the creation 1650 pipeline includes threemodules: data generation 1660 (e.g., to create data 1670 such as normaldata 1010 and abnormal data 1020), feature calculation 1680, and attackdetection model building 1690. In conventional monitoring modeldevelopment, data generation might take a majority of time and effort ofthe entire development process (e.g., 60% of the time and effort). Itinvolves tasks like: 1) setting up a system model, 2) identifyingoperation variables and defining an operation space (range) for normaloperation, 3) identifying which physical measurements are needed, 4)defining attack scenarios, 5) setting up experimental design, i.e., DOE,and 6) running the system model to generate data for various cases(which might require strong domain knowledge). In the creation pipeline1650, those knowledge-heavy tasks (e.g., tasks 1 thru 5) may bepredefined and encapsulated within the blueprint. As a result, a usermight generate data by simply running the system model for the casesdefined by the DOE matrix. Note that the system model could be either afunction object stored in the blueprint or a user provided function thatis directly linked to the data generation module 1660.

With the data 1670 being generated by the data generation module 1660and the feature functions defined in the blueprint, the featurecalculation module 1680 might simply apply the defined feature functionsto the data 1670 to obtain the feature matrices for both normal andattack datasets 1010, 1020, respectively. Once these feature matricesare available, the creation pipeline 1650 may automatically invoke theattack detection model building module 1690, which might train and testthe attack detection model based on the feature matrices. The structureand parameters of the attack detection model might also be defined inthe blueprint.

After appropriate feature vectors are computed, classification decisionboundaries for localization may be developed, e.g. as described withrespect to FIGS. 17 and 18. According to some embodiments, informationto facilitate this process might also be included in an appropriateblueprint. For example, FIG. 17 is a method of determining whether anattack is an independent attack or dependent attack in accordance withsome embodiments. According to some embodiments, three tests may beperformed to determine if an attack should be classified as an“independent attack” or a “dependent attack:” (1) a causal dependencytest, (2) a propagation path test, and (3) a time separation test. Someor all of the information about these three tests could be stored withina blueprint for a particular type of asset. Together, these three testsmay be referred to herein as an “attack dependency conformance test.” AtS1710, a causal dependency matrix may be used to determine if thecurrent attack was potentially caused by a previous attack. If thecurrent attack could not have been caused by a previous attack at S1710,it is classified as an “independent attack” at S1720. In this causalitytest, the system may check whether there is a potential causaldependency between the newly detected attack and any previously detectedattack on other monitoring nodes. This check might be based on, forexample, a binary matrix of causal dependencies between any two nodes(e.g., as described with respect to FIG. 18). The causal dependencymatrix might be generated, according to some embodiments, based ondomain knowledge. FIG. 18 is a causal dependency matrix 1800 ofmonitoring nodes according to some embodiments. In this case, there iscausal dependency and a direct proportion path from CTD to CPD. Thematrix 1800 lists each potential attack node and whether or not thatnode can have an effect on each other node (with a “1” indicating apotential effect and a “0” indicating no potential effect as definewithin a blueprint). Referring again to FIG. 17, if no such possibledependencies exist the attack is reported as an “independent attack” atS1720. Otherwise, the system may perform a second check.

At S1730 a propagation paths map may be used to determine if the currentattack potentially propagated from a previous attack. If the currentattack could not have propagated from a previous attack at S1730, it isclassified as an “independent attack” at S1720. In this propagationtest, for each causal dependency the system may check whether apropagation path is fulfilled. This might mean that, for example, if theeffect of node 1 being under attack is propagated to node 4, throughnode 3, then an anomaly in node 1 can cause an anomaly on node 4 only ifnode 3 is already anomalous. The anomaly propagation paths might also bedefined by domain knowledge and pre-stored in the localization system.If no such propagation paths are fulfilled, then the attack is reportedan “independent attack” at S1720. Otherwise, the system may perform thethird check.

At S1740, control loops time constraints may be used to determine if thecurrent attack was potentially caused by a previous attack based on timeseparation. If the current attack could not have been caused by aprevious attack based on time separation at S1740, it is classified asan “independent attack” at S1720. This time separation test may utilizethe fact that if the attacked monitoring under investigation is anartifact of the closed-loop feedback system, then the effect shouldarise within a time window between the rise time and the settling timeof the control loop corresponding to the monitoring node. However, sincethe system uses a dynamic estimator, a propagation time may need to beadded throughout the estimator. Using n features, and p lags in themodels, the dynamic estimator will have n*p states, and therefore addsn*p sampling times delay into the system. Therefore, the expected timewindow for a dependent attack to occur might be defined by:1.5*τ+n*p<Δt<5*τ+n*pwhere Δt is the time after any previously detected attacks on othernodes that has passed checks 1 and 2, and τ is the time constant of thecontrol loop responsible for the current node under investigation. Ifsuch a time-separation check is not passed, the system reports theattack as an independent attack at S1720.

If it is determined at S1750 that the current attack meets the timeseparation test (and, therefore, also meets both the propagation test ofS1730 and the causal dependency test of S1740), the current attack isclassified as a “dependent attack” at S1750.

Note that other attack and anomaly detection techniques may only providea binary status of the overall system (whether it is under attack ornot). Embodiments described herein may also provide an additional layerof information by localizing the attack and determining not only if thesystem is under attack (or not) but also which node is exactly underattack. Note that attack localization information may be important whenresponding to the attack, including operator action plans and resilientcontrol under attack. Embodiments described herein may handle multiplesimultaneous anomalies in the system, which is beyond the capability ofthe conventional fault detection systems. This may also let theapproaches described herein be used as a fault detection and isolationtechnique for more sophisticated, multiple-fault scenarios. Further,distributed detection and localization systems enabled by embodimentsdescribed herein across multiple equipment and systems may allow for acoordination of data to detect and precisely pin-point coordinatedmulti-prong attacks. This may further enable a relatively quick way toperform forensics and/or analysis after an attack.

Note that some embodiments may analyze information in the feature space,which has many advantages over working in the original signal spaces,including high-level data abstraction and modeling high dimensionalspaces without adding substantial computational complexity. Thefeature-based method for localization may also extend feature vectorsand/or incorporate new features into existing vectors as new learningsor alternate sources of data become available. Embodiments describedherein may also enable use of heterogeneous sensor data in a large scaleinterconnected system, even when the data comes from many geospatiallylocated heterogeneous sensors (i.e., conventional plant sensors,unconventional sensors such as cell-phone data, logical, etc.). This mayoffer additional commercial advantages for post-mortem analysis after anattack.

FIG. 19 is an example of a cyber-physical system protection display 1900that might be used, for example, to provide a graphical depiction 1910to an operator and/or to provide an interactive interface allowing anadministrator to adjust system components as appropriate. Selection ofan element on the display 1900 (e.g., via a touchscreen or computermouse pointer 1920) may let the operator see more information about thatparticular element (e.g., in a pop-up window) and/or adjust operation ofthat element (e.g., by altering data to customize a blueprint). A usermight enter text, such as a search term, into a search box 1930 to helplocation an appropriate blueprint within a blueprint data repository.The display 1900 might also include a user-selectable “Create” icon thatinitiates execution of a model creation pipeline.

Note that the embodiments described herein may be implemented using anynumber of different hardware configurations. For example, FIG. 20 is ablock diagram of a cyber-physical system protection platform 2000 thatmay be, for example, associated with the systems 100, 300 of FIGS. 1 and3, respectively, and/or any other system described herein. Thecyber-physical system protection platform 2000 comprises a processor2010, such as one or more commercially available Central ProcessingUnits (“CPUs”) in the form of one-chip microprocessors, coupled to acommunication device 2020 configured to communicate via a communicationnetwork (not shown in FIG. 20). The communication device 2020 may beused to communicate, for example, with one or more remote monitoringnodes, user platforms, digital twins, etc. The cyber-physical systemprotection platform 2000 further includes an input device 2040 (e.g., acomputer mouse and/or keyboard to input cyber-physical system parametersand/or modeling information) and/an output device 2050 (e.g., a computermonitor to render a display, provide alerts, transmit recommendations,and/or create reports). According to some embodiments, a mobile device,monitoring physical system, and/or PC may be used to exchangeinformation with the cyber-physical system protection platform 2000.

The processor 2010 also communicates with a storage device 2030. Thestorage device 2030 may comprise any appropriate information storagedevice, including combinations of magnetic storage devices (e.g., a harddisk drive), optical storage devices, mobile telephones, and/orsemiconductor memory devices. The storage device 2030 stores a program2012 and/or a cyber-physical system protection engine 2014 forcontrolling the processor 2010. The processor 2010 performs instructionsof the programs 2012, 2014, and thereby operates in accordance with anyof the embodiments described herein. For example, the processor 2010 mayaccess a blueprint repository data store that contains electronic filesrepresenting behavior-based asset monitoring parameters for a number ofdifferent cyber-physical system asset types. The processor 2010 mayreceive, from a remote operator device, an indication of an asset typeof the cyber-physical system to be monitored. The processor 2010 maythen search the blueprint repository data store and retrieve anelectronic file representing behavior-based asset monitoring parametersfor the asset type of the cyber-physical system to be monitored. Theprocessor 2010 may also receive, from the remote operator device,adjustments to the retrieved behavior-based asset monitoring parametersand automatically configure, based on the adjusted behavior-based assetmonitoring parameters, at least a portion of settings for an abnormaldetection model to be executed by an abnormal detection platform.

The programs 2012, 2014 may be stored in a compressed, uncompiled and/orencrypted format. The programs 2012, 2014 may furthermore include otherprogram elements, such as an operating system, clipboard application, adatabase management system, and/or device drivers used by the processor2010 to interface with peripheral devices.

As used herein, information may be “received” by or “transmitted” to,for example: (i) the cyber-physical system protection platform 2000 fromanother device; or (ii) a software application or module within thecyber-physical system protection platform 2000 from another softwareapplication, module, or any other source.

In some embodiments (such as the one shown in FIG. 20), the storagedevice 2030 further stores a cyber-physical system database 2100. Anexample of a database that may be used in connection with thecyber-physical system protection platform 2000 will now be described indetail with respect to FIG. 21. Note that the database described hereinis only one example, and additional and/or different information may bestored therein. Moreover, various databases might be split or combinedin accordance with any of the embodiments described herein.

Referring to FIG. 21, a table is shown that represents the blueprintrepository database 2100 that may be stored at the cyber-physical systemprotection platform 2000 according to some embodiments. The table mayinclude, for example, entries identifying cyber-physical systems to beprotected. The table may also define fields 2102, 2104, 2106, 2108,2110, 2112 for each of the entries. The fields 2102, 2104, 2106, 2108,2110, 2112 may, according to some embodiments, specify: a blueprintidentifier 2102, a cyber-physical system description 2104, monitoringnode identifiers 2106, operation variables and space 2108, attackscenarios 2110, and a DOE matrix 2112. The blueprint repository database2100 may be created and updated, for example, when a new physical systemis monitored or modeled, a blueprint is customized by a user, etc.

The blueprint identifier 2102 and description 2104 may define aparticular asset or system that will be protected. The description 2104may be associated with a particular type of industrial asset be used tohelp locate an appropriate blueprint. The monitoring node identifiers2106 may specify a set of sensors, actuators, etc. that provide a timeseries of values describing the operation of the cyber-physical system.The operation variables and space 2108, attack scenarios 2110, and DOEmatrix 2112 may be used by a creation pipeline (e.g., aftercustomization) to automatically create an appropriate monitoring modelfor an asset.

Thus, embodiments may be associated with technical improvements tocyber-physical system protection by providing a framework for quicklybuilding and deploying asset monitoring for cyber-physical systemapplications. In particular, a blueprint repository may encapsulatedomain knowledge required for building asset monitoring systems via anautomated model building pipeline. According to some embodiments, thegeneric framework may be used with a wide range of applications andenable shortened time-to-value aspects of asset modeling while stillproviding high detection performance.

The following illustrates various additional embodiments of theinvention. These do not constitute a definition of all possibleembodiments, and those skilled in the art will understand that thepresent invention is applicable to many other embodiments. Further,although the following embodiments are briefly described for clarity,those skilled in the art will understand how to make any changes, ifnecessary, to the above-described apparatus and methods to accommodatethese and other embodiments and applications.

Although specific hardware and data configurations have been describedherein, note that any number of other configurations may be provided inaccordance with embodiments of the present invention (e.g., some of theinformation associated with the databases described herein may becombined or stored in external systems). Moreover, although someembodiments are focused on gas turbines, any of the embodimentsdescribed herein could be applied to other types of cyber-physicalsystems including power grids, dams, locomotives, additive printers,data centers, airplanes, and autonomous vehicles (including automobiles,trucks, drones, submarines, etc.).

The present invention has been described in terms of several embodimentssolely for the purpose of illustration. Persons skilled in the art willrecognize from this description that the invention is not limited to theembodiments described but may be practiced with modifications andalterations limited only by the spirit and scope of the appended claims.

The invention claimed is:
 1. A system associated with a cyber-physicalsystem to be monitored, comprising: a blueprint repository data storecontaining electronic files that represent behavior-based assetmonitoring parameters, associated with failure detection for anindustrial asset, for a number of different cyber-physical system assettypes; and a behavior-based asset monitoring creation computer platformhaving a memory and a computer processor adapted to: receive, from aremote operator device, an indication of an asset type of thecyber-physical system to be monitored, search the blueprint repositorydata store and retrieve an electronic file representing behavior-basedasset monitoring parameters for the asset type of the cyber-physicalsystem to be monitored, receive, from the remote operator device,adjustments to the retrieved behavior-based asset monitoring parameters,automatically configure, based on the adjusted behavior-based assetmonitoring parameters, at least a portion of settings for an abnormaldetection model, create the abnormal detection model using theautomatically configured settings, including: receive, by a featuresextraction computer platform from a normal space data source, a seriesnormal monitoring node values and generate a set of normal featurevectors, the normal space data source storing, for each of a pluralityof monitoring nodes, a series of normal monitoring node values over timethat represent normal operation of the cyber-physical system, receive,by the features extraction computer platform from an abnormal space datasource, a series of abnormal monitoring node values and generate a setof abnormal feature vectors, the abnormal space data source storing, foreach of the plurality of monitoring nodes, a series of abnormalmonitoring node values over time that represent abnormal operation ofthe cyber-physical system, and automatically calculate and output atleast one decision boundary and a causal dependency matrix for theabnormal detection model based on the set of normal feature vectors, theset of abnormal feature vectors, and the automatically configuredsettings, and output the abnormal detection model and causal dependencymatrix to be executed by an abnormal detection platform.
 2. The systemof claim 1, wherein the behavior-based asset monitoring parameters areassociated with cyber security attack detection for the industrialasset.
 3. The system of claim 1, wherein the behavior-based assetmonitoring creation computer platform is further adapted to: when anelectronic file representing behavior-based asset monitoring parametersfor the asset type of the cyber-physical system to be monitored cannotbe found in the blueprint repository data store: interact with a subjectmatter expert to determine behavior-based asset monitoring parametersfor the asset type of the cyber-physical system to be monitored, andstore, into the blueprint repository data store, behavior-based assetmonitoring parameters for the asset type of the cyber-physical system tobe monitored.
 4. The system of claim 1, wherein the behavior-based assetmonitoring parameters for the asset type of the cyber-physical system tobe monitored include at least one of: (i) a Design Of Experiments(“DOE”) matrix, (ii) attack scenarios, (iii) a feature set, (iv)localization information, (v) accommodation information, (vi) localfeatures associated with monitoring nodes, (vii) global features, and(viii) monitoring node information.
 5. The system of claim 1, whereinsaid automatic configuration is associated with at least one of: (i)setting up a system model, (ii) identifying operation variables anddefining operation space for normal operation of the asset, (iii)identifying physical measurements, (iv) defining attack scenarios, (v)setting up experimental design information associated with Design OfExperiments (“DOE”).
 6. The system of claim 1, further comprising: afeature extraction computer platform having a memory and a computerprocessor adapted to: generate current feature vectors based on theseries of current monitoring node values; and the abnormal detectionplatform having a memory and a computer processor adapted to: receivethe current data-driven feature vectors, compare the current featurevectors with at least one decision boundary associated with the abnormaldetection model, and transmit an abnormal alert signal based on a resultof said comparison.
 7. The system of claim 6, wherein the at least onedecision boundary and abnormal alert signal are associated with globalfeature vectors.
 8. The system of claim 6, where sub-sets of the currentfeature vectors and decision boundaries are associated with localfeature vectors.
 9. A method associated with a cyber-physical system tobe monitored, comprising: receiving, at a behavior-based assetmonitoring creation computer from a remote operator device, anindication of an asset type of the cyber-physical system to bemonitored; searching, by the behavior-based asset monitoring creationcomputer, a blueprint repository data store and retrieving an electronicfile representing behavior-based asset monitoring parameters, associatedwith failure detection for an industrial asset, for the asset type ofthe cyber-physical system to be monitored, wherein the blueprintrepository data store contains electronic files that representbehavior-based asset monitoring parameters for a number of differentcyber-physical system asset types; receiving, from the remote operatordevice, adjustments to the retrieved behavior-based asset monitoringparameters; automatically configuring, based on the adjustedbehavior-based asset monitoring parameters, at least a portion ofsettings for an abnormal detection model; creating the abnormaldetection model using the automatically configured settings, including:receiving, by a features extraction computer platform from a normalspace data source, a series normal monitoring node values and generate aset of normal feature vectors, the normal space data source storing, foreach of a plurality of monitoring nodes, a series of normal monitoringnode values over time that represent normal operation of thecyber-physical system, receiving, by the features extraction computerplatform from an abnormal space data source, a series of abnormalmonitoring node values and generate a set of abnormal feature vectors,the abnormal space data source storing, for each of the plurality ofmonitoring nodes, a series of abnormal monitoring node values over timethat represent abnormal operation of the cyber-physical system, andautomatically calculating and outputting at least one decision boundaryand a causal dependency matrix for the abnormal detection model based onthe set of normal feature vectors, the set of abnormal feature vectors,and the automatically configured settings; and outputting the abnormaldetection model and causal dependency matrix to be executed by anabnormal detection platform.
 10. The method of claim 9, wherein thebehavior-based asset monitoring parameters are associated with cybersecurity attack detection for the industrial asset.
 11. The method ofclaim 9, further comprising: when an electronic file representingbehavior-based asset monitoring parameters for the asset type of thecyber-physical system to be monitored cannot be found in the blueprintrepository data store: interacting with a subject matter expert todetermine behavior-based asset monitoring parameters for the asset typeof the cyber-physical system to be monitored, and storing, into theblueprint repository data store, behavior-based asset monitoringparameters for the asset type of the cyber-physical system to bemonitored.
 12. The method of claim 9, wherein the behavior-based assetmonitoring parameters for the asset type of the cyber-physical system tobe monitored include at least one of: (i) a Design Of Experiments(“DOE”) matrix, (ii) attack scenarios, (iii) a feature set, (iv)localization information, (v) accommodation information, (vi) localfeatures associated with monitoring nodes, (vii) global features, and(viii) monitoring node information.
 13. The method of claim 9, whereinsaid automatic configuration is associated with at least one of: (i)setting up a system model, (ii) identifying operation variables anddefining operation space for normal operation of the asset, (iii)identifying physical measurements, (iv) defining attack scenarios, (v)setting up experimental design information associated with Design OfExperiments (“DOE”).
 14. A non-transitory, computer-readable mediumstoring program code, the program code executable by a computerprocessor to cause the processor to perform a method for a systemassociate with a cyber-physical system to be monitored, the methodcomprising: receiving, at a behavior-based asset monitoring creationcomputer from a remote operator device, an indication of an asset typeof the cyber-physical system to be monitored; searching, by thebehavior-based asset monitoring creation computer, a blueprintrepository data store and retrieving an electronic file representingbehavior-based asset monitoring parameters, associated with failuredetection for an industrial asset, for the asset type of thecyber-physical system to be monitored, wherein the blueprint repositorydata store contains electronic files that represent behavior-based assetmonitoring parameters for a number of different cyber-physical systemasset types; receiving, from the remote operator device, adjustments tothe retrieved behavior-based asset monitoring parameters; automaticallyconfiguring, based on the adjusted behavior-based asset monitoringparameters, at least a portion of settings for an abnormal detectionmodel; creating the abnormal detection model using the automaticallyconfigured settings, including: receiving, by a features extractioncomputer platform from a normal space data source, a series normalmonitoring node values and generate a set of normal feature vectors, thenormal space data source storing, for each of a plurality of monitoringnodes, a series of normal monitoring node values over time thatrepresent normal operation of the cyber-physical system, receiving, bythe features extraction computer platform from an abnormal space datasource, a series of abnormal monitoring node values and generate a setof abnormal feature vectors, the abnormal space data source storing, foreach of the plurality of monitoring nodes, a series of abnormalmonitoring node values over time that represent abnormal operation ofthe cyber-physical system, and automatically calculating and outputtingat least one decision boundary and a causal dependency matrix for theabnormal detection model based on the set of normal feature vectors, theset of abnormal feature vectors, and the automatically configuredsettings; and outputting the abnormal detection model and causaldependency matrix to be executed by an abnormal detection platform. 15.The method of claim 14, wherein the behavior-based asset monitoringparameters are associated with cyber security attack detection for theindustrial asset.
 16. The medium of claim 14, wherein the method furthercomprises: when an electronic file representing behavior-based assetmonitoring parameters for the asset type of the cyber-physical system tobe monitored cannot be found in the blueprint repository data store:interacting with a subject matter expert to determine behavior-basedasset monitoring parameters for the asset type of the cyber-physicalsystem to be monitored, and storing, into the blueprint repository datastore, behavior-based asset monitoring parameters for the asset type ofthe cyber-physical system to be monitored.